Cisco Duo (MFA) Multi-Factor Authentication

Duo (MFA) Multi-Factor Authentication correlates endpoint data and MFA data to spot anomalous user behavior so that you can quarantine potential compromised accounts or internal threats.

This package supports the following log types:

The parser normalizes data to a common schema based on CrowdStrike Parsing Standard (CPS). This schema allows you to search the data without knowing the data specifically, and just knowing the common schema instead. It also allows you to combine the data more easily with other data sources which conform to the same schema.

Breaking Changes

This update includes parser changes, which means that data ingested after upgrade will not be backwards compatible with logs ingested with the previous version.

Updating to version 1.0.0 or newer will therefore result in issues with existing queries in for example dashboards or alerts created prior to this version.

See CrowdStrike Parsing Standard (CPS) for more details on the new parser schema.

Follow the CPS Migration to update your queries to use the fields and tags that are available in data parsed with version 1.0.0.

Installing the Package in LogScale

Find the repository where you want to send the Cisco Duo (MFA) Multi-Factor Authentication events, or Creating a Repository or View.

  1. Navigate to your repository in the LogScale interface, click Settings and then Packages on the left.

  2. Click Marketplace and install the LogScale package for Cisco Duo (MFA) Multi-Factor Authentication (i.e. cisco/duo).

  3. In the right panel, click + Add Token to create a new token. Give the token an appropriate name , and assign the parser that corresponds to the type of log you are ingesting.

    Ingest Token

    Figure 19. Ingest Token


    Before leaving this page, view the ingest token and copy it to your clipboard — to save it temporarily elsewhere.

    Now that you have a repository set up in LogScale along with an ingest token you're ready to send logs to LogScale.

Configurations and Sending the Logs to LogScale

To get logs from Duo MFA into LogScale, you can use the Duo Log Sync which allows you to pull logs for adminaction, auth, telephony, activity endpoints and next send them into LogScale via the Log Collector.

First, in order to ingest data from the Duo Admin API you must follow the steps from Duo documentation to generate the integration key, secret key and API hostname. Those values will be required in next steps when configuring the Duo Log Sync

Follow the installation steps for the Duo Log Sync. Make sure to add the Duo keys as well as the Log Collector details into the config.yml.

Note: Each Duo endpoint should be configured to send the logs to different LogCollector ports to set the parser corresponding to the log type

Example Configurations:

yaml
version: "1.0.0"
     
     dls_settings:
     log_filepath: "/tmp/duologsync.log"
     log_format: "JSON"
     
     api:
     offset: 180
     timeout: 120
     
     checkpointing:
     enabled: True
     directory: "/tmp"
     
     #this is an example IP of the LogScale Collector 
     servers:
     - id: "logcollector_adminaction"
     hostname: "127.0.0.1"
     port: 1514
     protocol: "TCP"
     - id: "logcollector_activity"
     hostname: "127.0.0.1"
     port: 1515
     protocol: "TCP"
     - id: "logcollector_auth"
     hostname: "127.0.0.1"
     port: 1516
     protocol: "TCP"
     - id: "logcollector_telephony"
     hostname: "127.0.0.1"
     port: 1517
     protocol: "TCP"
     - id: "logcollector_trustmonitor"
     hostname: "127.0.0.1"
     port: 1518
     protocol: "TCP"
     
     # The following keys are generated in the DUO Admin API console
     account:
     ikey: "admin-api-ikey"
     skey: "admin-api-skey"
     hostname: "host.name.com"
     
     # Here we are matching Duo MFA logs to LogScale
     endpoint_server_mappings:
     - endpoints:
     ["trustmonitor"]
     server: "logcollector_trustmonitor"
     - endpoints:
     ["adminaction"]
     server: "logcollector_adminaction"
     - endpoints:
     ["activity"]
     server: "logcollector_activity"
     - endpoints:
     ["auth"]
     server: "logcollector_auth"
     - endpoints:
     ["telephony"]
     server: "logcollector_telephony"
     
     is_msp: false

Example LogScale Collector Configuration to send logs to LogScale, see the LogScale Collector Documentation for more information Sources & Examples

yaml
sources:
  # Collect adminaction logs.
  adminaction:
    type: syslog
    mode: tcp
    port: 1514
    supportsOctetCounting: false
    strict: false
    sink: logscale_adminaction
  # Collect activity logs
  activity:
    type: syslog
    mode: tcp
    port: 1515
    supportsOctetCounting: false
    strict: false
    sink: logscale_activity
 # Collect auth logs
  auth:
     type: syslog
     mode: tcp
     port: 1516
     supportsOctetCounting: false
     strict: false
     sink: logscale_auth
# Collect telephony logs
  telephony:
    type: syslog
    mode: tcp
    port: 1517
    supportsOctetCounting: false
    strict: false
    sink: logscale_telephony
# Collect trustmonitor logs
  trustmonitor:
    type: syslog
    mode: tcp
    port: 1517
    supportsOctetCounting: false
    strict: false
    sink: logscale_trustmonitor
sinks:
  logscale_adminaction:
    type: logscale
    # Replace with your ingest token for admin action logs
    token: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
    # Replace with the "Ingest URL" on the FLC download page. It must include the "https://" at the beginning.
    url: https://XXX.YYY.ZZZ
  logscale_activity:
    type: logscale
    # Replace with your ingest token activity logs
    token: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
    # Replace with the "Ingest URL" on the FLC download page. It must include the "https://" at the beginning.
    url: https://XXX.YYY.ZZZ
  logscale_auth:
    type: logscale
    # Replace with your ingest token for auth logs
    token: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
    # Replace with the "Ingest URL" on the FLC download page. It must include the "https://" at the beginning.
    url: https://XXX.YYY.ZZZ
  logscale_telephony:
    type: logscale
    # Replace with your ingest token for telephony logs
    token: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
    # Replace with the "Ingest URL" on the FLC download page. It must include the "https://" at the beginning.
    url: https://XXX.YYY.ZZZ
  logscale_trustmonitor:
    type: logscale
    # Replace with your ingest token for telephony logs
    token: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
    # Replace with the "Ingest URL" on the FLC download page. It must include the "https://" at the beginning.
    url: https://XXX.YYY.ZZZ

Verify Data is Arriving in LogScale

Once you have completed the above steps the Cisco Duo (MFA) Multi-Factor Authentication data should be arriving in your LogScale repository.

You can verify this by doing a simple search for the events:

logscale
#Vendor = "cisco" 
|#event.module="duo"

Package Contents Explained

This package parses incoming data, and normalizing the data as part of that parsing. The parser normalizes the data to CrowdStrike Parsing Standard (CPS) schema based on OpenTelemetry standards, while still preserving the original data.

If you want to search using the original field names and values, you can access those in the fields whose names are prefixed with the word Vendor. Fields which are not prefixed with Vendor are standard fields which are either based on the schema (e.g. source.ip) or on LogScale conventions (e.g. @rawstring).

The fields which the parser currently maps the data to, are chosen based on what seems the most relevant, and will potentially be expanded in the future. But the parser won't necessarily normalize every field that has potential to be normalized.

Event Categorisation

As part of the schema, events are categorized by fields:

  • event.* (e.g. ,event.kind, event.type, event.outcome , event.category)

event.category is an array so needs to be searched using the following syntax:

logscale
array:contains("event.category[]", value="network")

For example, the following will find events where some event.type[n] field contains the value network, regardless of what n is.

Note that not all events will be categorized to this level of detail.

Normalized Fields

Here are some of the normalized fields which are being set by this parser:

  • event.* (e.g event.kind, event.type, event.category, event.outcome, event.dataset, event.module, event.id, event.reason)

  • source.* (e.g source.geo.country, source.user.id, source.geo.region, source.user.email, source.user.name, source.user, source.address, source.ip, source.geo.city )

  • ecs* (e.g. ecs.version )

  • destination* (e.g destination.user.id, destination.user.name)

  • user_agent.* (e.g user_agent.os.version, user_agent.os.name, user_agent.version, user_agent.name)

  • user.* (e.g. user.id )

  • geo.* (e.g geo.country, geo.region, geo.city)

  • url.* (e.g url.original, url.host, url.domain)

  • os.* (e.g os.version, os.name)

  • user.* (e.g user.name, user.id, user.email, user.key)

  • device.* (e.g device.os, device.hostname, device.location.country, device.browser, device.location.state, device.location.city, device.ip)